summaryrefslogtreecommitdiff
path: root/source3/utils
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2007-06-13 20:49:20 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:23:19 -0500
commit4caefdf348857577343075ae647e29a0ac904ae0 (patch)
treed39cb0c6509235d6d370a097a7a55c085f07dc4b /source3/utils
parentbfbf08adfffc3967a2866626d8e54fb8849a841b (diff)
downloadsamba-4caefdf348857577343075ae647e29a0ac904ae0.tar.gz
samba-4caefdf348857577343075ae647e29a0ac904ae0.tar.bz2
samba-4caefdf348857577343075ae647e29a0ac904ae0.zip
r23474: Here's a small patch that disables the libkrb5.so replay cache
when verifying a ticket from winbindd_pam.c. I've found during multiple, fast, automated SSH logins (such as from a cron script) that the replay cache in MIT's krb5 lib will occasionally fail the krb5_rd_req() as a replay attack. There seems to be a small window during which the MIT krb5 libs could reproduce identical time stamps for ctime and cusec in the authenticator since Unix systems only give back milli-seconds rather than the micro-seconds needed by the authenticator. Checked against MIT 1.5.1. Have not researched how Heimdal does it. My thinking is that if someone can spoof the KDC and TDS services we are pretty hopeless anyways. (This used to be commit cbd33da9f78373e29729325bbab1ae9040712b11)
Diffstat (limited to 'source3/utils')
-rw-r--r--source3/utils/ntlm_auth.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 4a74db6b4a..a2b41660b5 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1169,7 +1169,7 @@ static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode,
status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
&request.negTokenInit.mechToken,
&principal, NULL, &ap_rep,
- &session_key);
+ &session_key, True);
talloc_destroy(mem_ctx);